Why Should I worry about email security?
Email is the most common, universal form of Internet communications. Email has been outliving claims that “Email is Dead” for over a decade and will continue for decades to come.
And, email is remarkably insecure.
So you need to ask a question when considering email security: what am I using my email for? What you are communicating and to whom helps define the level of security you’re seeking…and that is needed.
This is important because some of the protections against email abuse (like encryption) can be a challenge to install for the average user. They aren’t merely a download and automatic installation. We explain that below.
In addition, although keeping email content private is vitally important, it’s equally important to be sure you know who sent you the email in the first place. It’s very easy to spoof the “From:” address of an email, and it happens a lot. You may have received an email from a good friend asking you to send money because she/he claims to be lost in some far-away country without any. That’s almost certainly a spoofed email.
Encryption (scrambling your message) and authenticity (knowing who really sent the message) are the two pillars of secure communication. You must have both to securely send private messages between two parties.
Is email encryption necessary?
The short answer is, “Yes.”
Encrypting email is an important and useful privacy technique to protect you from surveillance by the government and groups who want to prevent you from doing your work as an activist. If you encrypt, your email can’t be read by anyone but the person for whom it’s intended.
Additionally, if we as a movement all encrypt our email – even email that is not private or considered important enough to be encrypted – then we create a standard for movement communications that makes us stronger. Also, government investigators look for anomalies in routine communications — are you doing something that you usually don’t? — and that draws their attention. If you encrypt your email usually, you may be adding a bit more security.
How do I encrypt my email?
If you are looking for a new email account, there are several email providers that take extra precautions to protect your email. They can’t automatically make all your email communications encrypted, but they vastly improve upon what you get from a standard corporate account:
Riseup: allows you to store your email in an encrypted form when it is sitting on their servers. Riseup has a long movement history of fighting subpoenas and other legal threats to their users’ data
While not movement based, both Protonmail and Tutanota take extra precautions to ensure all data on their servers is un-readable by them.
If you want to stick with your email account, or provide greater control over encrypting your email, we suggest using OpenPGP.
This approach requires setting up several different programs and extensions of those programs. It also requires some upkeep. Your public key has to be maintained and kept up to date. It’s not automatic.
You have to decide whether keeping your privacy is important enough for the hassle involved in encryption. Some people think it’s not. We strongly believe that it is.
In any case, what you decide should dictate what you include in your emails. The key to communication over the internet is to be conscious of the security environment and how it matches what you are sending.
How does OpenPGP email encryption work?
You don’t need to know all the technical details to be able to use encryption, but it helps to have some basic information about the technology before you get started implementing it.
Public and private keys
The main thing to understand about the technology behind encryption is that it relies on keys, i.e. small text files comprised of seemingly random characters. In order to use OpenPGP, the encryption technology compatible with both PGP and GPG software, you need to generate a public/private key pair.
That means you will need two keys. One is public, and the other is private.
The public key is made available by you on the internet via a network of computers called “key servers” (usually housed at universities or large companies). The private key is only on your computer and stays there.
These two keys are generated together because they have a special relationship: A message encrypted with the public key can only be decrypted with the private key. A message that uses a signature generated from a private key can be validated with the public key to make sure that it isn’t a spoofed email.
As the name implies, the private key should be kept private. It should be saved on your personal computer, preferably one that nobody else can access. Furthermore, you would typically password-protect your private key, meaning that every time you want to use it, you will need to enter a password.
The public key, as we said above, can be freely given to anyone.
If someone has your public key, they will be able to send you an encrypted message. If you have a person’s public key, you can send that person an encrypted message. (Note: you cannot send someone an encrypted message unless you already have their public key.)
An email signature generated from your private key adds an extra layer of protection to your email by allowing the recipient to verify (using your public key) that the email is from who it says it’s from.
That’s the theory. Now the practice.
How do I get started with email encryption?
First, you need special software to properly encrypt and authenticate your emails.
One of the most popular programs is PGP, which stands for Pretty Good Privacy, a corporate trademark currently held by Symantec.
However, we recommend GnuPG (also known as GPG), which stands for GNU Privacy Guard. GnuPG is free and open source, so it’s not tied to any corporation.
Using GnuPG
For the most part, using encryption is possible only when using an email client (instead of using your web browser to check and write emails). If you use web-based mail (such as Gmail) via your web browser, the people providing you with that web-based mail service would have to provide an encryption option for you to use. This means the encryption software would be on their servers.
On a cell phone, you can use the K9 android email application along with the Open Key Chain Easy PGP on Android or the IPGMail app with the standard iOS mail program for iPhones and iPads.
On a desktop computer, we recommend using Mozilla’s Thunderbird, which you can download and use for free.
Once you’ve installed Thunderbird, it’s time to downlaod the GnuGP encryption software.
Getting GnuPG for Mac
If you’re a Mac user, download and install GPG Suite, which provides the core GnuPG software for Mac OS. This also installs GPG Keychain, the GnuPG assistant program that you use to generate your private/public key pair. GPG Keychain is the interface that gives you access to the GnuPG technology, which otherwise works invisibly in the background.
Follow the instructions here to create your key pair with GPG Keychain.
Getting GnuPG for Windows
Windows users should download and install Gpg4win, which provides the core GnuPG software for PCs. This also installs Kleopatra, the GnuPG assistant program that you use to generate your private/public key pair. Kleopatra is the interface that gives you access to the GnuPG technology, which otherwise works invisibly in the background.
Follow the instructions here to create your key pair with Kleopatra.
Using GnuPG with Thunderbird
Once you’ve installed Thunderbird and GnuPG (and its assistant program), you will then need to install Enigmail, a Thunderbird add-on (plugin) that allows Thunderbird to use OpenPGP encryption.
How do I install and configure Enigmail with Thunderbird?
Open Thunderbird and select “Add-ons” from the Tools menu.
Then click on “Extensions” on the left-hand side of the Add-ons window.
You should then see a “Search all add-ons” bar at the top. Type “Enigmail” there and hit enter. If it’s not already installed, the Enigmail add-on should appear in the list of results.
Click on the “Install” button next to Enigmail, and Thunderbird will automatically download and install the add-on.
After the installation is complete, click on “Restart now” to reopen Thunderbird. There should now be an Enigmail menu item in the top menu bar of Thunderbird.
Finally, click on Enigmail in that top menu bar and select “Setup Wizard.” This will take you through the steps to complete the integration of Enigmail and Thunderbird. It should automatically find the key pair that you set up with the GnuGP assistant program.
You can find out more about how to use Enigmail and Thunderbird here.